All,
I would appreciate if anyone could provide clarification on my current understanding of Converged Access mobility design for WebAuth and guest access. My setup is as follows:
(WAP)---(MA)---(MC)---(Firewall)---(GA)
Wireless Access Point (WAP) - 3500
Mobility Agent (MA) - Cisco 3850 (running IPServices)
Mobility Controller (MC) - WLC 5760
DMZ Firewall
Guest Anchor (GA) - WLC 5508 (running 7.5.110.0 and new mobility feature enabled)
I have my mobility domain configured with an SPG and the 3850 MAs configured into the domain. All status indicators are up for MC to MA and MC to GA. The WAPs are connected to the 3850 MA and appear on the MA using the command 'show ap summary'. There are also a number of WAPs that associate directly to the 5760 MC.
My configuration on the MC has a guest wireless service using WebAuth, which anchors over to the GA. Clients connecting to the WebAuth service on WAPs associated directly to the 5760 MC receive and IP address from the GA DMZ and are redirected to the GA WLC. This is as expected with the usual centralized wireless model.
My initial thoughts with the Mobility Agents (MA) was that it was a simple case of pointing the 3850s to the MC and the wireless service (WLAN) configurations would automatically appear. Through configuration tests and converged access deployment guides, I now believe this to no longer be the case. Therefore, for MAs to advertise wireless services they have to be individually configured. Am I correct with my thoughts?
This was proved with a Secure 802.1x WLAN on the MA and it was a simple case of replicating the 5760 Secure WLAN on the MA.
For the deployment of WebAuth wireless services on the MA 3850 switches, I have not managed to find a guide that explains how an MA anchors wireless clients to the GA. I have found documents that describe combined MC/MA configurations to GA, but not when the 3850 is just an MA. Is it is case that:
1. MA WebAuth wireless service is configured to anchor to the GA using the command 'mobility anchor <GA IP Address>'. This would require the DMZ firewall to allow mobility tunnels between the MA to GA and MC to GA, or;
2. MA WebAuth wireless service is configured to anchor to the MC using the command 'mobility anchor <MC IP Address>'. This would mean the traffic from the MA for WebAuth is tunneled to MC and then onwards to GA.
I suspect option 1 is the correct method, but would appreciate confirmation.
Also, I have not configured a Mobility Oracle (MO) since I only have one MC and the GA. If it is advisable to do, then would it be best to enable the MO on the MC or GA?
Thanks in advance
Ian